exploit the possibilities
Showing 26 - 50 of 100 RSS Feed

Files

Adobe Flash Player DeleteRangeTimelineOperation Type Confusion
Posted Feb 9, 2019
Authored by bcook-r7, Genwei Jiang | Site metasploit.com

This Metasploit module exploits a type confusion on Adobe Flash Player, which was originally found being successfully exploited in the wild. This module has been tested successfully on: macOS Sierra 10.12.3, Safari and Adobe Flash Player 21.0.0.182, Firefox and Adobe Flash Player 21.0.0.182.

tags | exploit
advisories | CVE-2016-4117
MD5 | 4572485ddc8d1b209fd619e0f8397d3d

Related Files

Windows Escalate Task Scheduler XML Privilege Escalation
Posted Jul 19, 2012
Authored by jduck | Site metasploit.com

This Metasploit module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2010-3338, OSVDB-68518
MD5 | 985eb9053e6cd158c35c0837cbba1589
Novell ZENworks Configuration Management Preboot Service 0x06 Buffer Overflow
Posted Jul 19, 2012
Authored by Stephen Fewer, juan | Site metasploit.com

This Metasploit module exploits a remote buffer overflow in the ZENworks Configuration Management 10 SP2. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x06 (PROXY_CMD_CLEAR_WS) to the 998/TCP port. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2 (DEP bypass).

tags | exploit, remote, overflow, tcp
systems | windows
advisories | OSVDB-65361
MD5 | f34f24fcc433e4b088d9cd6e4754435b
Novell ZENworks Configuration Management Preboot Service 0x21 Buffer Overflow
Posted Jul 19, 2012
Authored by Stephen Fewer, juan | Site metasploit.com

This Metasploit module exploits a remote buffer overflow in the ZENworks Configuration Management 10 SP2. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x21 (PROXY_CMD_FTP_FILE) to port 998/TCP. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2 (DEP bypass).

tags | exploit, remote, overflow, tcp
systems | windows
advisories | OSVDB-65361
MD5 | 152908928a9c6adae51d63c01d75b875
Setuid Nmap Exploit
Posted Jul 19, 2012
Authored by egypt | Site metasploit.com

Nmap's man page mentions that "Nmap should never be installed with special privileges (e.g. suid root) for security reasons.." and specifically avoids making any of its binaries setuid during installation. Nevertheless, administrators sometimes feel the need to do insecure things. This Metasploit module abuses a setuid nmap binary by writing out a lua nse script containing a call to os.execute(). Note that modern interpreters will refuse to run scripts on the command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby} payloads will most likely not work.

tags | exploit, root, perl, ruby
systems | unix
MD5 | 451cc1f390a0ee0ae43183a67ef08439
ALLMediaServer 0.8 Buffer Overflow
Posted Jul 16, 2012
Authored by modpr0be, juan vazquez, motaz reda | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability is caused due to a boundary error within the handling of HTTP request. While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't reliable across virtual (VMWare, VirtualBox) and physical environments. Because of this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default DEP is OptIn and AllMediaServer won't run with DEP.

tags | exploit, web, overflow
systems | windows, 7
MD5 | 59ea30c205258988554bd473b89706e9
Siemens Simatic S7-1200 CPU START/STOP Module
Posted Jul 16, 2012
Authored by Dillon Beresford | Site metasploit.com

The Siemens Simatic S7-1200 S7 CPU start and stop functions over ISO-TSAP this modules allows an attacker to perform administrative commands without authentication. This Metasploit module allows a remote user to change the state of the PLC between STOP and START, allowing an attacker to end process control by the PLC.

tags | exploit, remote
MD5 | a341cf2fac3b420d88e2f3a792a5a068
Siemens Simatic S7-300/400 CPU START/STOP Module
Posted Jul 16, 2012
Authored by Dillon Beresford | Site metasploit.com

The Siemens Simatic S7-300/400 S7 CPU start and stop functions over ISO-TSAP this modules allows an attacker to perform administrative commands without authentication. This Metasploit module allows a remote user to change the state of the PLC between STOP and START, allowing an attacker to end process control by the PLC.

tags | exploit, remote
MD5 | 1411a241bc03de698cd3e74a5ed68f7b
Siemens Simatic S7-300 PLC Remote Memory Viewer
Posted Jul 14, 2012
Authored by Dillon Beresford | Site metasploit.com

This Metasploit module attempts to authenticate using a hard-coded backdoor password in the Simatic S7-300 PLC and dumps the device memory using system commands.

tags | exploit
MD5 | 877d8e1cb2ff5ea6be0407d60594b671
WordPress Generic Plugin Shell Upload
Posted Jul 13, 2012
Authored by KedAns-Dz

This Metasploit module exploits an arbitrary PHP File Upload and Code Execution flaw in some WordPress blog software plugins. The vulnerability allows for arbitrary file upload and remote code execution POST Data to Vulnerable Script/File in the plugin.

tags | exploit, remote, arbitrary, php, code execution, file upload
MD5 | 6e5db5ab504788fb9b8796603515439f
Hastymail 2.1.1 RC1 Command Injection
Posted Jul 13, 2012
Authored by juan vazquez, Bruno Teixeira | Site metasploit.com

This Metasploit module exploits a command injection vulnerability found in Hastymail 2.1.1 RC1 due to the insecure usage of the call_user_func_array() function on the "lib/ajax_functions.php" script. Authentication is required on Hastymail in order to exploit the vulnerability. The module has been successfully tested on Hastymail 2.1.1 RC1 over Ubuntu 10.04.

tags | exploit, php
systems | linux, ubuntu
advisories | CVE-2011-4542, OSVDB-77331
MD5 | 8de106ad76c49f177614da33c8cc8e7d
Java Applet Field Bytecode Verifier Cache Remote Code Execution
Posted Jul 10, 2012
Authored by Stefan Cornelius, sinn3r, juan vazquez, littlelightlittlefire, mihi | Site metasploit.com

This Metasploit module exploits a vulnerability in HotSpot bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.

tags | exploit
advisories | CVE-2012-1723, OSVDB-82877
MD5 | 94d1b02973615daa0c50e2dd0f511b93
AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution
Posted Jul 9, 2012
Authored by rgod, juan | Site metasploit.com

This Metasploit module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run arbitrary commands on the victim machine. This Metasploit module has been successfully tested with the ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configuration Management 10 SP2, on IE 6 and IE 8 over Windows XP SP 3.

tags | exploit, remote, arbitrary, activex
systems | windows, xp
advisories | CVE-2011-2657, OSVDB-76700
MD5 | 66c6a3ef11bb525cd8be0342facce81f
Poison Ivy 2.3.2 C&C Server Buffer Overflow
Posted Jul 6, 2012
Authored by juan vazquez, Gal Badishi, Andrzej Dereszowski | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Poison Ivy 2.3.2 C&C server. The exploit does not need to know the password chosen for the bot/server communication. If the C&C is configured with the default 'admin' password, the exploit should work fine. In case of the C&C configured with another password the exploit can fail. The 'check' command can be used to determine if the C&C target is using the default 'admin' password. Hopefully an exploit try won't crash the Poison Ivy C&C process, just the thread responsible of handling the connection. Because of this the module provides the RANDHEADER option and a bruteforce target. If RANDHEADER is used a random header will be used. If the bruteforce target is selected, a random header will be sent in case the default for the password 'admin' doesn't work. Bruteforce will stop after 5 tries or a session obtained.

tags | exploit, overflow
MD5 | b8ca3ffa1d3da60d8b3f9b99912ede26
Umbraco CMS Remote Command Execution
Posted Jul 6, 2012
Authored by juan vazquez, Toby Clarke | Site metasploit.com

This Metasploit module can be used to execute a payload on Umbraco CMS 4.7.0.378. The payload is uploaded as an ASPX script by sending a specially crafted SOAP request to codeEditorSave.asmx, which permits unauthorised file upload via the SaveDLRScript operation. SaveDLRScript is also subject to a path traversal vulnerability, allowing code to be placed into the web-accessible /umbraco/ directory. The module writes, executes and then overwrites an ASPX script; note that though the script content is removed, the file remains on the target. Automatic cleanup of the file is intended if a meterpreter payload is used. This Metasploit module has been tested successfully on Umbraco CMS 4.7.0.378 on a Windows 7 32-bit SP1. In this scenario, the "IIS APPPOOL\ASP.NET v4.0" user must have write permissions on the Windows Temp folder.

tags | exploit, web, asp, file upload
systems | windows, 7
MD5 | 55b249c7b416e0039642bb1ad643fe1b
Tiki Wiki <= 8.3 unserialize() PHP Code Execution
Posted Jul 6, 2012
Authored by EgiX, juan vazquez | Site metasploit.com

This Metasploit module exploits a php unserialize() vulnerability in Tiki Wiki <= 8.3 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The dangerous unserialize() exists in the 'tiki-print_multi_pages.php' script, which is called with user controlled data from the 'printpages' parameter. The exploit abuses the __destruct() method from the Zend_Pdf_ElementFactory_Proxy class to write arbitrary PHP code to a file on the Tiki Wiki web directory. In order to run successfully three conditions must be satisfied (1) display_errors php setting must be On to disclose the filesystem path of Tiki Wiki, (2) The Tiki Wiki Multiprint feature must be enabled to exploit the unserialize() and (3) a php version older than 5.3.4 must be used to allow poison null bytes in filesystem related functions. The exploit has been tested successfully on Ubuntu 9.10 and Tiki Wiki 8.3.

tags | exploit, web, arbitrary, php
systems | linux, ubuntu
advisories | CVE-2012-0911
MD5 | f2b5160e61e85582844eefb51772013f
Basilic 1.5.14 diff.php Arbitrary Command Execution
Posted Jul 6, 2012
Authored by Larry W. Cashdollar, sinn3r, juan vasquez | Site metasploit.com

This Metasploit module abuses a metacharacter injection vulnerability in the diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary commands as the www-data user account.

tags | exploit, arbitrary, php
MD5 | 9d16ea294133914f3b79a69c57218572
IBM Rational ClearQuest CQOle Remote Code Execution
Posted Jul 3, 2012
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit module exploits a function prototype mismatch on the CQOle ActiveX control in IBM Rational ClearQuest versions prior to 7.1.1.9, 7.1.2.6 or 8.0.0.2 which allows reliable remote code execution when DEP is not enabled.

tags | exploit, remote, code execution, activex
advisories | CVE-2012-0708, OSVDB-81443
MD5 | dd271a1d2fe6b774198c249d9775242f
HP Data Protector Create New Folder Buffer Overflow
Posted Jul 2, 2012
Authored by sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in HP Data Protector 5. The overflow occurs in the creation of new folders, where the name of the folder is handled in a insecure way by the dpwindtb.dll component. While the overflow occurs in the stack, the folder name is split in fragments in this insecure copy. Because of this, this module uses egg hunting to search a non corrupted copy of the payload in the heap. On the other hand the overflowed buffer is stored in a frame protected by stack cookies, because of this SEH handler overwrite is used. Any user of HP Data Protector Express is able to create new folders and trigger the vulnerability. Moreover, in the default installation the 'Admin' user has an empty password. Successful exploitation will lead to code execution with the privileges of the "dpwinsdr.exe" (HP Data Protector Express Domain Server Service) process, which runs as SYSTEM by default.

tags | exploit, overflow, code execution
advisories | CVE-2012-0124, OSVDB-80105
MD5 | 3e8a696e7dabdf035e54f1e3e2a26123
Irfanview JPEG2000 4.3.2.0 jp2 Stack Buffer Overflow
Posted Jul 2, 2012
Authored by Parvez Anwar, mr_me, juan vazquez | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow vulnerability in versions 4.3.2.0 and below of Irfanview's JPEG2000.dll plugin. This exploit has been tested on a specific version of irfanview (v4.3.2), although other versions may work also. The vulnerability is triggered via parsing an invalid qcd chunk structure and specifying a malformed qcd size and data. Payload delivery and vulnerability trigger can be executed in multiple ways. The user can double click the file, use the file dialog, open via the icon and drag/drop the file into Irfanview\'s window. An egg hunter is used for stability.

tags | exploit, overflow
advisories | CVE-2012-0897, OSVDB-78333
MD5 | ac999f1315054da78d784401745cfa8e
Apple QuickTime TeXML Stack Buffer Overflow
Posted Jun 29, 2012
Authored by sinn3r, Alexander Gavrun, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. The flaw is generally known as a bug while processing the 'transform' attribute, however, that attack vector seems to only cause a TerminateProcess call due to a corrupt stack cookie, and more data will only trigger a warning about the malformed XML file. This Metasploit module exploits the 'color' value instead, which accomplishes the same thing.

tags | exploit, overflow, arbitrary, code execution
systems | apple
advisories | CVE-2012-0663, OSVDB-81934
MD5 | 85791f9a94c2dae702f38a6997745009
Openfire Admin Console Authentication Bypass
Posted Jun 29, 2012
Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in the administration console of Openfire servers. By using this vulnerability it is possible to upload/execute a malicious Openfire plugin on the server and execute arbitrary Java code. This Metasploit module has been tested against Openfire 3.6.0a. It is possible to remove the uploaded plugin after execution, however this might turn the server in some kind of unstable state, making re-exploitation difficult. You might want to do this manually.

tags | exploit, java, arbitrary, bypass
advisories | CVE-2008-6508, OSVDB-49663
MD5 | 99330c91d94ab9d7d7a596c52a05bf81
SugarCRM 6.3.1 unserialize() PHP Code Execution
Posted Jun 27, 2012
Authored by EgiX, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a php unserialize() vulnerability in SugarCRM versions 6.3.1 and below which could be abused to allow authenticated SugarCRM users to execute arbitrary code with the permissions of the webserver. The dangerous unserialize() exists in the 'include/MVC/View/views/view.list.php' script, which is called with user controlled data from the 'current_query_by_page' parameter. The exploit abuses the __destruct() method from the SugarTheme class to write arbitrary PHP code to a 'pathCache.php' on the web root.

tags | exploit, web, arbitrary, root, php
advisories | CVE-2012-0694
MD5 | 7d01dafa74c844c1735769142b67e3ac
Adobe Flash Player Object Type Confusion
Posted Jun 23, 2012
Authored by sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt AMF0 "_error" response, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the "World Uyghur Congress Invitation.doc" e-mail attack. According to the advisory, 10.3.183.19 and 11.x before 11.2.202.235 are affected.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2012-0779, OSVDB-81656
MD5 | 9cd671aa77da3f3cf74a6b14f286d9ce
iTunes Extended M3U Stack Buffer Overflow
Posted Jun 21, 2012
Authored by Rh0 | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7. When opening an extended .m3u file containing an "#EXTINF:" tag description, iTunes will copy the content after "#EXTINF:" without appropriate checking from a heap buffer to a stack buffer and write beyond the stack buffers boundary. This allows arbitrary code execution. The Windows XP target has to have QuickTime 7.7.2 installed for this module to work. It uses a ROP chain from a non safeSEH enabled DLL to bypass DEP and safeSEH. The stack cookie check is bypassed by triggering a SEH exception.

tags | exploit, overflow, arbitrary, code execution
systems | windows, xp
MD5 | f3b086d0b82646b5e9b9707b6ff449e4
Adobe Flash Player AVM Verification Logic Array Indexing Code Execution
Posted Jun 20, 2012
Authored by mr_me | Site metasploit.com

This Metasploit module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23 and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT(Just-In-Time) code being executed. This is the same vulnerability that was used for attacks against Korean based organizations. Specifically, this issue occurs when indexing an array using an arbitrary value, memory can be referenced and later executed. Taking advantage of this issue does not rely on heap spraying as the vulnerability can also be used for information leakage. Currently this exploit works for IE6, IE7, IE8, Firefox 10.2 and likely several other browsers under multiple Windows platforms. This exploit bypasses ASLR/DEP and is very reliable.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2011-2110, OSVDB-48268
MD5 | b46d9ba42fe0fc20dbe3a4cb42ab96fa
Page 2 of 4
Back1234Next

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close